The cyber assault on healthcare: What the Change Healthcare breach reveals

Booker, a former CISO at UnitedHealth Group, says the attack also serves as a blaring reminder to healthcare organizations to “be sure you concentrate on the fundamentals and important security measures, like multifactor authentication, have them where you want them, which is in all places, and have a strategy to know that what you’re doing is correct, have an assurance capability that reveals your stuff is working.”

Calls for more healthcare organizations to tighten security

Authors of the HIMSS report also called for more to be done, for instance, writing that “while almost two-thirds of respondents indicated that their board of directors are repeatedly briefed relating to cybersecurity threat, this number must be higher. Ideally, more healthcare organizations will embark upon the proactive journey of repeatedly briefing their boards of directors.”

The authors also called out the need for more supply chain risk management: “Less than half of respondents (41.92%) to this survey indicated that their organization has established a cybersecurity supply chain risk management program. The rest of respondents (58.08%) indicated that they either didn’t have such a program or were uncertain. The risk of not having a sturdy cybersecurity supply chain management program is that there may be an excessive amount of dependency on one vendor or provider.”

And HIMSS officials advocated for healthcare entities to adopt the NIST Cybersecurity Framework Version 2.0 and the recently released US Department of Health and Human Services’ voluntary cybersecurity performance goals (CPGs).

Others agree that such moves must happen, and happen fast.

Sen. Ron Wyden, a Democrat representing Oregon and one of many US lawmakers calling for more scrutiny of UHG in the aftermath of the attack, has criticized the slow pace of action. He has faulted the Biden administration’s timeline for putting healthcare cybersecurity laws in place, saying the year-end goal is too far out.

“Each new devastating hack hammers home the need for obligatory cybersecurity requirements in the healthcare sector, particularly when it comes to the most important firms that tens of millions of patients rely on for care and medication,” Wyden says in a statement to CSO. “Without action, patients’ access to care and their private health data can be compromised and ransomed by hackers again and again.”

Weiss says healthcare security leaders and other sector executives got that message and they’re working to learn lessons from the Change Healthcare incident and to implement more security measures to improve their own security posture and their own resilience.

Benjamin Luthy, program director of cybersecurity and an adjunct professor at Champlain College Online, says it’s a worthwhile exercise: “Everyone can learn a lesson; anyone who leads a security or information technology program can learn from this.”
